Skip to main content

SYN question

More
14 years 11 months ago #32911 by kogula14
SYN question was created by kogula14
Hi,

I found out my client web page cannot be load as it shows "Connection Timed Out" error message. I suspected that maybe got SYN attack in that server. After i run the below command:-

[root@server1403 ~]# netstat -n | grep :80 | grep SYN |wc -l
157

My question is:-

When i check, one 1 Ip utilze 1 SYN. Is it really a SYN attack or not?
Or it is high load due to high users at one time, that is why can't open the web page??

Thanks
More
14 years 11 months ago #32919 by cooluswiz
Replied by cooluswiz on topic Syn Attack
Assuming that you know the three way handshake, is the web server in DMZ - Behind the firewall. Further take a trace on your firewall preferably on both interfaces (Inbound/Outbound) to eliminate the same.
More
14 years 11 months ago #32933 by kogula14
Replied by kogula14 on topic Re: SYN question
Hi,

I couldn't understand the thing that you mentioned (take a trace on your firewall preferably on both interfaces (Inbound/Outbound) to eliminate the same.)

Do you mean take traceroute or doing netstat??
More
14 years 11 months ago #32940 by S0lo
Replied by S0lo on topic Re: SYN question
kogula14, May be you've done this already but just in case,

Try this at the command prompt of the server:

netstat -n -p TCP

If you see a big list of connections with state: SYN_RECEIVED. Then this could indicate SYN attack.
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
More
14 years 11 months ago #32943 by FishNBone
Replied by FishNBone on topic Re: SYN question
Hi all!

kogula14 i tried your command on windows vista cmd, mine got alot of 'ESTABLISHED' word in the status and one 'CLOSE_WAIT' and a 'SYN_SENT' what does all of these mean?

Thank you!
More
14 years 10 months ago #33301 by kogula14
Replied by kogula14 on topic Re: SYN question
Hi,

Thanks for every1 help me...

support.microsoft.com/kb/137984
Time to create page: 0.135 seconds